March 2010

« Aliens from the communist planet of Rooskee are invading peaceful, democratic planets and turning their inhabitants into “Communist Mutants”. The communist mutant armies are controlled by the Mother Creature, a strange alien who has gone mad due to irradiated vodka. »

Maybe this will be the only one of his articles I translate – or maybe there will be others in the future… Meanwhile here is this one. I chose it because DNS hijacking is a subject I am sensitive about – and maybe because of the exoticism of Chinese shenanigans…

Before reading this interesting article, please heed this forewarning : as soon as we talk about China, we should admit our ignorance. Most people who pontificate about the state of the Internet in China do not speak Chinese – their knowledge of the country stops at the doorstep of international hotels in Beijing and Shanghai. The prize for the most ludicrous pro-Chinese utterance goes to Jacques Myard, representative at the National Assembly and member of the UMP party, for his support for the Chinese dictatorship [translator’s note : he went on the record saying that “the Internet is utterly rotten” and went on to say that it “should be nationalized to give us better control – the Chinese did it”]. When it comes to DNS, one of the least understood Internet services, the bullshit production rate goes up considerably and sentences where both « DNS » and « China » occur are most likely to be false.

I am therefore going to try not to emulate Myard, and only talk about what I know, which will make this article quite short and full of conditionals. Unlike criminal investigations in US movies, this article will name no culprit and you won’t even know if there was really a crime.

DNS root server hijacking for the purpose of implementing the policy (notably censorship) of the Chinese dictatorship has been discussed several times – for example at the 2005 IETF meeting in Paris. It is very difficult to know exactly what happens in China because Chinese users, for cultural reasons, but mostly for fear of repression, don’t provide much information. Of course, plenty of people travel to China, but few of them are DNS experts and it is difficult to get them to provide data from mtr or dig correctly executed with the right options. Reports on censorship in China are often poor in technical detail.

The root servers are not authoritative for facebook.com. The queried server should therefore have answered with a pointer to the .com domain. Instead, we find an unknown IP address. Someone is screwing with the server’s data :

Only UDP traffic is hijacked – TCP is unaffected. Traceroute sometimes ends up at reliable instances of the I server (for example, in Japan), which seems to suggest that the manipulation only affects port 53 – the one used by the DNS.

Affected names are those of services censored in China, such as Facebook or Twitter. They are censored not just for political reasons, but also because they compete with Chinese interests.

If you want to check it yourself, 123.123.123.123 is hosted by China Unicom and will let you resolve a name :

37.61.54.158 is a currently unassigned address and it does not belong to Facebook. [translator’s note : I get 243.185.187.39 which is also abnormal]
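The check described above, as an added example that is not part of the original article: a root server asked about facebook.com should return a referral (no answer records, NS records for .com in the authority section), so any A record in the answer section is the anomaly to flag. Both messages are constructed here in DNS wire format so the parser runs offline; the function names are hypothetical, and the forged sample carries the address quoted in the article.

```python
import struct

def encode_name(name):
    """Encode a domain name in DNS wire format (no compression)."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past a name, honouring compression pointers."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # a 2-byte compression pointer ends the name
            return off + 2
        off += 1 + n

def build_response(qname, answers=(), authority=()):
    """Build a constructed response; each record is (owner, rtype, rdata)."""
    msg = struct.pack("!6H", 0x1234, 0x8000, 1, len(answers), len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    for owner, rtype, rdata in list(answers) + list(authority):
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

def classify_root_response(msg):
    """Classify what a root server returned for a name below a TLD."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == 1 and rdlen == 4:          # A record
            addrs.append(".".join(map(str, rdata)))
    if an == 0 and ns > 0 and not flags & 0x0400:   # no answer, AA clear, NS present
        return "referral", addrs
    if an > 0:
        return "answer-from-root", addrs       # a root is not authoritative here
    return "other", addrs

# Constructed samples: the expected referral to .com, and an anomalous answer
# carrying the address quoted in the article.
REFERRAL = build_response("facebook.com", authority=[("com", 2, encode_name("a.gtld-servers.net"))])
FORGED = build_response("facebook.com", answers=[("facebook.com", 1, bytes([37, 61, 54, 158]))])
```

To run the same classification on a live reply, pass the raw UDP payload received from the queried server to `classify_root_response`.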

It is therefore very likely that rogue root servers exist in China and that Chinese ISPs have hacked their IGP (OSPF for example) to hijack traffic bound toward the root servers. This does not quite explain everything – for example why the known good instances installed in China still see significant traffic. But it won’t be possible to know more without in-depth testing from various locations in China. A leak from this routing hack (similar to what affected YouTube in 2008) certainly explains how the announcement from the rogue server reached Chile.

Providing search across the indexes requires other parties to provide them, but that architectural constraint has paradoxically become a key driver of BitTorrent’s popularity by providing a simple business model. Ernesto at TorrentFreak explains that easy monetization explains the ubiquity of indexes : “BitTorrent sites can generate some serious revenue, enough to sustain the site and make a decent living. In general, ad rates per impression are very low, but thanks to the huge amounts of traffic it quickly adds up. This money aspect has made it possible for sites to thrive, and has also lured many gold diggers into starting a torrent site over the years”.

With commercial interests comes spam and legal vulnerabilities – so I feel much more comfortable knowing that decentralized protocols exist to provide resilience towards the censorship that lurks over us in the dark, waiting for us to become complacently reliant on centralized resources. Happy birthday Gnutella !

“That’s the problem of online communities – they cannot move. It doesn’t matter how good the community is now, people just won’t agree to move to the same place as one… They fragment, people move, new ones form, but large groups just never manage to move as one to a new platform. You get fond memories, and happy surprises when names reappear on another community later”.

The proverbial cat herding is well known to anyone who has had to deal with human change management, but in online communities not bound by any organizational structure the problem is even worse.

Online communities will continue to rise and fall, and with that there will always be fond memories and happy surprises !

Solid state drives provide incredible IOPS compared to hard disks, but their cost rules them out as primary mass storage. For most applications you would not consider storing everything in RAM either – yet RAM cache is part of any storage system. Why wouldn’t we take advantage of solid state drives as an intermediary tier between RAM and hard disks ? This reasoning is what hierarchical storage management is about, but Sun took it one step further by integrating it into the file system as ZFS’s Hybrid Storage Pools.

I hope that this sort of goodness will some day come to Linux through Btrfs, but ZFS provides it right now – and it is Free software too… So I guess that in spite of my religious fervor toward the GPL, my storage server’s next operating system will be a BSD licensed one… Who would have thought ?